markokstate

Reputation: 961

Swagger UI will return API data, but my Authorized calls return "permission denied"

So I believe my API service should be fine, since I can return results through Swagger? I am calling from a WPF project. I launch the program and it asks me to login, then it continues and tells me I don't have permission.

I'm super green to WebAPI2 and think I may just be constructing my call incorrectly. It does seem that I get a token back correctly from my site; the only issue is when I try to actually call on the API for data.

Here is my code:

    // These using directives belong at the top of the file.
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, IPlatformParameters

    public static string clientId = "{#Calling App Id}";
    public static string commonAuthority = "https://login.windows.net/{#my Azure AD tenant}";
    public static Uri returnUri = new Uri("http://MyDirectorySearcherApp");
    const string ResourceUri = "https://{#Api App Service}.azurewebsites.net";

    public static async Task<List<User>> LoadBands(IPlatformParameters parent)
    {
        AuthenticationResult authResult = null;
        List<User> results = new List<User>();

        try {
            // get a token for ResourceUri, reusing the cache (and refresh token) when one exists
            AuthenticationContext authContext = new AuthenticationContext(commonAuthority);
            if (authContext.TokenCache.ReadItems().Count() > 0)
                authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().First().Authority);
            authResult = await authContext.AcquireTokenAsync(ResourceUri, clientId, returnUri, parent);
        } catch (Exception) {
            throw; // rethrow as-is, preserving the original stack trace
        }

        using (var httpClient = new HttpClient()) {
            using (HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, $"{ResourceUri}/api/Band/")) {
                // send the access token as a Bearer token to the Azure AD-protected API
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
                using (var response = await httpClient.SendAsync(request)) {
                    string responseData = await response.Content.ReadAsStringAsync();
                    // responseData always equals "You do not have permission to view this directory or page"
                    return results;
                }
            }
        }
    }

Edit: Maybe helpful to note I'm using a Data API that is called by a REST API; the REST API is secured by Azure AD.

Edit: I'm calling from a Portable Class Library.

Edit: Well, I'm getting authenticated, but it does not appear to make any difference. If I completely remove the Auth header I get the same result.

Upvotes: 0

Views: 1309

Answers (1)

Fei Xue

Reputation: 14649

It seems that the token is incorrect for the web API which is protected by Azure AD. Please check the aud claim in the token, which should match the Audience you configured in the web API project. You can check the aud claim by parsing the token on this site.

And if you still have the problem please share the code how you protect the web API.

Update

If you were using the Express mode like below, you need to acquire the access_token using the app which you associated with the web API.

If you were using the Advanced mode, we should also use that app to acquire the token, and the ResourceUri should match the value you configured in ALLOWED TOKEN AUDIENCES like below.

Upvotes: 1
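The aud check the answer describes, as an added example that is not part of the question or answer: it decodes the payload of a compact JWT without verifying the signature (inspection only, the way a token-parsing site does it) and reports whether aud is one of the audiences the API is configured to accept. The audience, issuer and sample tokens are constructed placeholders, not real Azure AD values.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.
    Inspection only: the web API still validates signature and issuer itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def audience_matches(token: str, allowed_audiences) -> bool:
    """True when the token's aud claim names one of the audiences the API accepts.
    Comparison is exact, so a trailing-slash or scheme difference is a mismatch."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in allowed_audiences for a in auds)

def diagnose(token: str, allowed_audiences) -> str:
    """One-line verdict for the symptom in the question: logged in, yet no permission."""
    aud = jwt_claims(token).get("aud")
    if audience_matches(token, allowed_audiences):
        return f"aud={aud!r} is accepted; look elsewhere (issuer, expiry, signing key)"
    return (f"aud={aud!r} is not in {allowed_audiences}; acquire the token for the resource "
            "the API accepts, or add this aud to ALLOWED TOKEN AUDIENCES")

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo (not a real Azure AD token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

# Constructed values: the audience the API's auth settings accept, and two sample tokens.
ALLOWED = ["https://my-api-app-service.azurewebsites.net"]
GOOD_TOKEN = make_sample_token({"aud": ALLOWED[0], "iss": "https://sts.example/tenant"})
WRONG_AUD_TOKEN = make_sample_token({"aud": "https://some-other-resource.example",
                                     "iss": "https://sts.example/tenant"})

if __name__ == "__main__":
    print(diagnose(WRONG_AUD_TOKEN, ALLOWED))
    print(diagnose(GOOD_TOKEN, ALLOWED))
```

Paste the real access token from AcquireTokenAsync in place of the sample and the allowed audience from the API's auth settings; a mismatch here is the "permission denied" the question describes.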
